Input validation error in dnsdist - CVE-2018-14663
Published: July 3, 2023
Vulnerability identifier: #VU77909
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14663
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PowerDNS.COM B.V.
Affected software:
dnsdist
dnsdist
Detailed vulnerability description
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing DNS queries. A remote attacker can smuggle certain DNS records into the DNS backend and perform spoofing attack. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameters are used when declaring a new backend.
How to mitigate CVE-2018-14663
Install updates from vendor's website.